Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
According to the monitoring of the SlowMist security team, the brahTOPG project on the ETH chain was attacked, and the attacker made a profit of about $89,879. The main reason for this attack is that the Zapper contract strictly checks the data passed in by the user, which leads to the problem of arbitrary external calls. The attacker uses this arbitrary external call problem to steal the tokens of users who are still authorized to the contract. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 89,879.
- chain
- —
- protocol
- brahTOPG
- bug_class
- external-call
- date_occurred
- 2022-11-10
- loss_usd
- $89,879
- source_id
- sm:brahtopg::2022-11-10